The 3 Generations of Software Composition Analysis

Software Composition Analysis (SCA) is a relatively new industry term for a set of tools that provides users visibility into their open source inventory. Despite its misleading name suggesting access to all aspects of the source code (proprietary, third party commercial and open source), software composition analysis in effect acts as a open source management tool only.

SCA tools were born out of a cross-industry rise in open source usage which made it increasingly hard for companies to track open source components manually using spreadsheets, emails and ticketing systems. As open source usage grew to encompass the majority of software creation, it became a necessity to automate the open source management process.

SCA tools come in different forms, offering a range of capabilities from those focused on licensing compliance only to others encompassing both security and license management.

What is Software Composition Analysis?

First and foremost, SCA tools generate an inventory report of all open source components in your products, including all direct and transitive dependencies. Taking inventory of open source usage is critical as it is the basis for properly managing your open source usage. After all, how can you secure or ensure compliance of something you do not know you’re using?

Once all open source components have been identified, SCA tools provide information on each component. Basic information includes the open source license and whether there’s a security vulnerability associated with that component.

Advanced tools offer automatic policy enforcements by cross referencing every open source component found in your code with your organizational policies, triggering different responses from initiating an automated approval workflow to failing the build.

Leading tools are also able to automate the entire process of open source selection, approval and tracking, saving developers precious time and increasing their accuracy significantly. Some such tools are able to alert of vulnerabilities in a component while still on the web, before a pull is made and the component enters the system. Other tools are able to navigate developers to the precise location of a vulnerable component thereby reducing remediation efforts.

Why is SCA Becoming a Must-Have Part of Application Security Portfolios?

Open source components have become the main building block in software applications in all verticals. Yet despite the heavy reliance on open source, most companies have been generally lax about ensuring that open source components meet basic security standards and that organizations are compliant with the required open source licenses.

The need to detect open source components with known vulnerabilities has long been recognized by security organizations like OWASP. Unfortunately, only as hackers realized how lucrative open source vulnerabilities can be and as a result of hackers’ active targeting of these weaknesses, awareness among software development and security teams gradually increased.

It is important to understand that once a vulnerability is made known the community databases and issue trackers where vulnerabilities are made public serve as valuable resources for hackers to obtain details that may help them carry out an exploit.

The more popular an open source component is, the greater the value to hackers of exploiting a vulnerability found in it.

This is where SCA tools come into play. They provide essential security for software comprised in part of open source components. SCA tools identify which open source components a corporation is using in its source code, and match these components with community databases, advisories and issue trackers to bring to the surface any vulnerabilities that may exist in the source code.

SCA tools provide valuable data about a corporation’s open source inventory to executives, development, security and legal teams with the capability to generate reports for visibility.

The Evolution of Software Composition Analysis

SCA tools can broadly be broken down into three phases marked by leaps in technological advances.

1st Generation: Open Source Code Scanning

Around the turn of the millenia (2002 to be precise) open source code scanning offering companies visibility into their open source inventory by identifying snippets of code and matching it with open source databases, became the tool of choice for open source security.

This technology resulted in high percentage of false positives (proprietary and commercial pieces of code identified as open source). To deal with the false positives, professional services were required to manually check the matches found.

Code scanning proved to be an important tool for open source license management and was soon adopted by enterprise companies for this purpose. But the long time it took to scan entire codes, its inability to run alongside the software development lifecycle (SDLC) on a continuous and ongoing basis, and the abundance of false positive results it generated, made it a poor solution for detecting vulnerabilities in the evolving universe of software production where agile methodologies where becoming the norm.

2nd generation: Continuous Open Source Components Management

Fast forward to 2011 and WhiteSource introduced a new technology designed to meet the needs of modern agile production standards.

Continuous management of open source components integrates with different software development tools like repositories, build tools, package managers and CI servers, and identifies the open source components every time you run your build, do a commit etc, therefore detecting issues (from vulnerabilities to licensing problems) in real-time.

The move to real-time detection of vulnerabilities and licensing issues enabled software and security teams to shift left their open source management and find issues earlier in the process when it is easier and quicker to fix.

3rd generation: Effective Usage Analysis

In May 2018 WhiteSource launched the next-generation of SCA solutions. The newly developed technology provides details beyond simply which components are present in the application, delving deeper with actionable insights on how components are being used, highlighting their impact on the security of the application.

The Basic Requirements of SCA

According to the Forrester SCA Wave 2017, It all comes down to what your organization needs, what internal standards you’ve defined for yourself, the regulation you need to meet, your type of service and customers and more.

But here are the basic requirements we believe you need to ensure your SCA does all that it can do for you:

#1 Languages Support

Companies need to ensure that the chosen SCA tool can cover all coding languages used by the organization and that it covers both vulnerability management and license compliance.

#2 Database

Companies relying solely on the NVD are left blind to the risk of new vulnerabilities that have not yet been vetted for inclusion as well as vulnerabilities which will not make it into the NVD as they get posted in individual repositories or project issue trackers. The more comprehensive a database is, aggregating its data from multiple sources, the better it is at covering the grounds and offering a fully secure service.

Software composition analysis tools enable developers and security teams to set up their own policies around vulnerability management and license compliance. Implementing automated policies removes the company’s need to look over their developers’ shoulder, knowing that whatever guidelines were set forth are being enforced throughout the SDLC.

Using SCA tools to enforce policies, a company can rank vulnerabilities by level of severity and decide which vulnerabilities will be approved or rejected from their code. Policies can also be put in place to alert of license noncompliance issues, and can be set to initiate a workflow, trigger alerts, open issue tickets, or even fail the build.

#4 Seamless Integration

SCA tools must integrate seamlessly with repositories and build tools, package managers and CI servers with the goal of giving developers actionable data as early as possible. The best SCA tools are able to support production for the entirety of the SDLC, from pre selection to post deployment.